Plan to Counterattack Hackers Draws More Fire
Now that Symbiot, Inc. has released information on its plans to enable companies to counterattack digital threats, some security analysts have stepped up their concerns that it could cause more problems than it solves.
Symbiot's founders are looking to fight back against hackers, virus writers and denial-of-service attacks by launching counterattacks. It's no longer enough to protect a company's perimeter, they say; it's time for the attacked to become the attackers.
But members of the security community are raising concerns that striking back at attackers not only leaves the company open to legal problems, but could double the strain on associated networks, ISPs and Internet hubs. They also say it aims the guns directly at innocent victims of computer viruses.
"Vigilantism didn't work in the wild west and electronic vigilantism is likely to be just as distasteful," says George Bakos, a senior security expert with the Institute for Security Technology Studies at Dartmouth College. "The desire to take action does not justify contributing to the problem... At what point does the escalation stop?"
However, what had people talking was the company's claim that it was going to enable counterstrikes. But details of what those strikes would entail weren't released until late last week.
In a written statement, Symbiot executives say there are many levels of response that can be used against an attacker. Before there would be any response, however, they say the software would check several things, such as risk metrics, reconnaissance, surveillance and confirming identification.
Once that is done, if the intensity, duration and effect of the attack are great enough, the corporate IT or security manager can use countermeasures. Those countermeasures range from benignly blocking or diverting traffic to more aggressive maneuvers like sending the packet content used in the attack back at the attacker.
But the tool goes one step further.
It also enables the IT or security manager to obtain access privileges on the attacker's system and then go in and disable, destroy or seize control of his assets. The IT manager also could launch a counterstrike that would send exploits specific to vulnerabilities on the attacker's machine.
And, finally, the software allows for preemptive strikes on a source known to be orchestrating attacks. "This retaliation could be far in excess of the attack that the aggressor has underway," according to a written statement on the Symbiot Web site.
Symbiot executives could not be reached for this story, but there is a warning posted on the site about legal issues involved with launching an attack. "Symbiot is continually evaluating the legal aspects of these more aggressive countermeasures... We stress that our customers should obtain appropriate advice and information to make decisions that will not violate applicable laws. In some instances, availability of these countermeasures may be restricted."
March 16, 2004